
Finance, Performance and Cyber Assurance Event, 30th September 2019 (PowerPoint presentation)

Welcome to the Finance, Performance and Cyber Assurance Event, 30th September 2019, Principal Hotel, York
The Roles of the Audit Committee and Finance Committee with regard to Finance and Performance
Bryan Millar, Audit Committee Chair at Airedale, Wharfedale and Craven CCG, Bradford Districts CCG and Bradford City CCG


1. Examples of Support
• Focused service improvement initiatives, e.g. maternal and neonatal health and safety collaborative
• Practical help to address key improvement priorities, e.g. Emergency Care Improvement Programme
• Leadership development, coaching and mentoring
• Resources to help develop capability to improve and apply evidence-based improvement methodologies
• Resources to help improve quality, efficiency and productivity, including Rightcare, Model Hospital, Getting it Right First Time, Bronze Pack
• Targeted financial recovery support
• External specialist support
• ICS/STP transformation programmes
• Dedicated support and development for organisations in (or at risk of being in) licence breach, special measures or directions
The same issue will result in different NHSE/I-directed support depending on the capability and capacity for improvement demonstrated by the organisation and system (some of which the organisation may be required to fund).

2. Vote Now: My organisation has highly effective arrangements in place to predict and mitigate risks to delivery of the performance and financial expectations of NHSE/I
1. Strongly agree 2.9%
2. Agree 48.6%
3. Neither agree nor disagree 40.0%
4. Disagree 8.6%
5. Strongly disagree 0.0%

3. Vote Now: I am confident that if performance were to be significantly off track on a key metric, our organisation can demonstrate the necessary attributes to minimise NHSE/I escalation and mandated support
1. Strongly agree 3%
2. Agree 35%
3. Neither agree nor disagree 57%
4. Disagree 5%
5. Strongly disagree 0%

4. Emerging role of Systems
NHS England and NHS Improvement

5. Working as Systems
• Increasing emphasis on the role of systems at local (Place) level and STP/ICS level in supporting improvement and delivery of the Long Term Plan across the NHS
• Relies on a collaborative and partnership approach
• As systems mature they are expected to take greater shared responsibility for overall quality of care and use of resources for their population
• South Yorkshire and Bassetlaw: Wave 1 ICS
• West Yorkshire and Harrogate: Wave 2 ICS
• Cumbria and North East: Wave 3 ICS
• Humber Coast and Vale: STP
The ICS role increases as partnership maturity, governance and capability are demonstrated, with a commensurate reduction in the NHS England and NHS Improvement role. The LTP committed to every STP becoming an Integrated Care System (ICS) by 2020/21.

6. System Maturity Matrix
• Provides characteristics of STPs and ICSs at different levels of maturity along the following domains:
– System leadership, partnerships & change capability
– System architecture, financial management and planning
– Integrated care models
– Track record of delivery
– Coherent and defined population
• A “thriving” ICS will be able to demonstrate robust governance, advanced progress and real system-working at all levels, across each of these components
• For Regions to use when determining whether a system is ready to become an ICS

7. What does this mean in practice – in year
Finance and performance oversight and improvement example
• ICS governance leads to cessation of NHSE/I routine IAF and QRM meetings, replaced by ICS-led quarterly local (Place) discussions
• If organisation performance is off-track, the ICS leads escalated performance oversight and improvement, supported by NHSE/I teams*
• ICS operates ‘offset’ of individual organisation over-performance and under-performance within the ICS overall control total and trajectories
* Up to the point of formal regulatory action, which remains NHSE/I responsibility
Transformation example
• Transformation funding is allocated to the ICS
• The transformation programme, and the use of resources to support delivery, is determined by the ICS

8. What does this mean in practice – Planning
• Capital investment priorities are informed by STP/ICS through estate strategies and STP capital submissions
• ICS/STPs are responsible for NHS Long Term Plan (LTP) submissions for collective delivery and each organisation’s trajectories within that
• More mature ICSs are leading the process, supported by NHSE/I teams (and vice versa)
• All commitments must be reflected as they have already been prioritised
• The application of some financial framework flexibilities will be influenced (determined?) by ICSs

9. Key elements of the Long Term Plan financial framework
Control Totals
• Organisational control totals
• STP/ICS system control totals
Financial Recovery Fund (FRF)
• FRF allocations will reflect ICS and organisation trajectories, supporting financial stability & improvement
• Size to be reduced over the 5 year period
Financial trajectories
• ICS trajectory set nationally
• Organisation trajectories subject to ICS/STP discussions
Payment Reform
• Blended payment model
• Reform of the CQUIN framework

10. Vote Now: System working makes individual organisation governance and decision making more complex
1. Strongly agree 47.6%
2. Agree 42.9%
3. Neither agree nor disagree 7.1%
4. Disagree 2.4%
5. Strongly disagree 0.0%

11. Vote Now: System working will change the decisions that my organisation will take at board and operational level, and how it will take them
1. Strongly agree 23.3%
2. Agree 46.5%
3. Neither agree nor disagree 25.6%
4. Disagree 4.7%
5. Strongly disagree 0.0%

12. Any questions?

13. Assurance Framework Benchmarking
Elaine Dower & Jasper Cain

14. Background
• What have we done?
– The objectives identified in Assurance Frameworks
– The Risks identified by organisations
– Finance and Workforce Risks
– The design of Assurance Frameworks
• Why are we doing this?
www.360assurance.co.uk @360Assurance www.audityorkshire.nhs.uk @AuditYorkshire

15. Some highlights from the data
• Providers: 4-32 risks on BAF
• CCGs: 3-36 risks on GBAF
• Providers: Largest number of risks against Patient Care and Safety objectives
• CCGs: Largest number of risks against Commissioning objectives
• Financial Sustainability objective 2nd for both types of organisation.

16.
• Scoring of Risks on AFs: approximately 50% were ‘Medium’ risks for both Providers and CCGs.
• ‘Governance’ risks are now the most frequent category for Providers – these are risks identified against all categories of strategic objectives which have failures/poor governance as a ‘cause’ or ‘uncertain event’.
• For CCGs the most frequent category is Quality Assurance of Providers (followed closely by Partnership Working).

17.
• A specific look at the Workforce risks identified that the biggest sub-category was ‘Staffing’ (numbers) for both Providers and CCGs.
• A specific look at the Finance risks identified that the biggest sub-category was ‘Sustainability’ for both Providers and CCGs.

18. Risk Management
• Most clients identify the purpose of the AF as a strategic risk management tool.
• The definition of risk: “effect of uncertainty on objectives” (ISO 31000:2018).

19. Strategic Objectives
• It is not always clear what success would look like for the Strategic Objectives as written.
• Whilst this is understandable, it can often lead to a lack of clarity in the risk identified.
• Risks are not specifically linked to an objective, or risk descriptions are not written in a consistent way:

20. Assurance on Risk Management Processes
• How do you monitor the effectiveness of Risk Management systems and processes?
• A significant number of AFs do not easily facilitate this monitoring as they don’t include fields such as:
– Date risk identified
– Initial, Current & Target Score
– Risk appetite or Risk tolerance (and/or link between risk appetite and risk target score)
– Visual tracking of score over time

21. Overall Assurance
Only 3/19 Provider BAFs and none of the CCG GBAFs identified an overall assurance level to provide a regular and visual assessment of the level of assurance the relevant Board/Governing Body Committee has taken from the controls and assurances outlined, and therefore the likelihood of mitigating the risk to target level and still achieving the associated strategic objective.

22. Use of Resources
John Cotterill, Business Associate (seconded NHSI UoR assessor)

23. KLOE Areas
• Clinical Services
• People
• Clinical support services
• Corporate services, procurement, estates and facilities
• Finance

24. Key Messages
• The extent to which non-executive directors were involved in the NHSI assessment visit varied. Most often the Board Chair attended; at some trusts the Finance Committee Chair and Audit Committee Chair also attended.
• Actions to address UoR findings tend to be incorporated in wider-ranging plans (e.g. CQC Action Plan).
• In some cases actions are being monitored and reported to service committees such as the Workforce and Quality Committee.

25. Key Messages
• Trusts noted that UoR assessments are influencing NHSI’s approach to supporting non-specialist hospital trusts.
• In some cases UoR reports are being used pro-actively as a further source of assurance and are feeding into Annual Governance Reports and external audit UoR assessments.

26. Top Tips
• Ensure that you understand the Model Hospital data and are able to give an explanation of the trust’s position. Remember comparative high cost in itself is not necessarily a negative story. Consider what benefits there are to patients and stakeholders from the trust’s investment.
• Don’t overlook the obvious. Relatively minor improvements can often have a significant benefit to patients.
• Don’t treat the assessment as a purely finance-related exercise. Finance is only one of the five KLOE areas; try to give equal weight to all five.
• Remember that the assessment is heavily based on performance over the last 12 months. Do not overly focus on governance issues (strategies/plans/etc.). These are mainly covered elsewhere within the SOF.

27. Top Tips
• Make best use of the commentary.
• Learn from others – engage with local/similar trusts who have had assessments – what worked for them and what did not.
• Involve ‘patient facing’ staff in the assessment process. They are often best placed to relate how service delivery is benefiting patients – personal stories are powerful.
• Involve non-executive directors in the assessment day, particularly in the introductory session. Identify a role within the presentation team, e.g. give an overview of the area served by the trust and the demographics.

28. Investigations: Approach and lessons
John Lester, Head of Investigations, NHS England and NHS Improvement

29. Agenda
1. The regulatory framework
2. Triggers for an investigation
3. Investigation process
4. Lessons and themes

30. 1. The regulatory framework
• NHS England and NHS Improvement (Monitor, NHS England, NHS TDA)
• NHS Provider Licence
• NHS Oversight Framework

31. Regulatory tools
Foundation trusts
• Informal action
• Requiring action: S105 additional requirement
• Binding commitments: S106 undertaking
• Governance requirements: S111 additional licence condition
Trusts
• Informal actions / Statutory powers of direction
CCGs
• Support regime / Statutory powers of direction

32. 2. Triggers
Operational performance
• Longstanding failure to meet standards
• Sudden deterioration in performance
Finances
• Variance from plan
• Sudden deterioration
• Financial governance concerns
Quality
• Lack of pace in implementing CQC requirements
Strategic change / leadership and improvement

33. Factors influencing the decision
• Robust improvement plan
• Capacity to deliver plan
• Understanding of the issues and causes
• Views on culture
• Views on leadership
• Track record of turnaround team

34. 3. Investigation process
Step 1 - Decision to open an Investigation: Decision
Step 2 - Investigation launch and setup: Scoping; Document request
Step 3 - During an Investigation: Document and data review; Interviews; Observations
Step 4 - Concluding an Investigation: Report; Informal feedback

35. A diagnostic approach
Local health economy: Is the local health and care system being led and managed effectively?
Service configuration: Does the configuration of the local health and care services hamper the trust’s ability to provide high-quality sustainable services?
Trust: Is the trust being effectively managed and led in order to provide high quality and efficient services?
1. Geography
2. Scale of core services
3. Funding flows
4. OOH care
5. Capacity to meet demand
6. System management & integration
7. Efficiency and productivity
8. Operational performance
9. Quality and governance
10. Leadership

36. Interviews
What are we looking for?
• Understanding of drivers of performance issues
• Articulation of how issues are being addressed
• Insight into culture
• Understanding of governance
• Articulation of organisation vision, values, strategy
• Key risks and their mitigations
• Candour and insight

37. 4. Lessons and themes – Governance
Vote Now: How would you rate committee effectiveness in your organisation? The committee spends the right amount of time on each of its areas of business
1. Strongly agree 8.6%
2. Agree 51.4%
3. Neither agree nor disagree 34.3%
4. Disagree 5.7%
5. Strongly disagree 0.0%

38. Vote Now: The committee does a good job in relation to risk management
1. Strongly agree 2.9%
2. Agree 44.1%
3. Neither agree nor disagree 47.1%
4. Disagree 5.9%
5. Strongly disagree 0.0%

39. Vote Now: The quality of discussion and challenge is high
1. Strongly agree 10.3%
2. Agree 43.6%
3. Neither agree nor disagree 41.0%
4. Disagree 5.1%
5. Strongly disagree 0.0%

40. Vote Now: The committee has access to high quality information
1. Strongly agree 5.4%
2. Agree 48.6%
3. Neither agree nor disagree 37.8%
4. Disagree 5.4%
5. Strongly disagree 2.7%
You may want to consider…
• Quantity
• Clarity
• Timeliness
• Relevance
• Reliability

41. Governance
Agenda
• Linking to risk
• Strategic versus operational
Risk management
• Board Assurance Framework
Challenge and discussion
• Exec/NED relationships
• Identifying vs dealing with low assurance

42. Governance
Quality of information
• Board vs committee papers
• Detail vs brevity
• Forwards/backwards
• Drivers of financial position
• So what?

43. Cultural challenges
• Autonomy vs central control
• Reluctance to performance manage / challenge
• Sense of accountability
• Planning over action
• Engagement in finances

44. Sudden financial deterioration
Trust A: 16/17 plan £6m surplus; forecast at M6 (£27m) deficit
Trust B: M6 17/18 on track against £1m CT; M7 reforecast to (£54m) deficit; emergency loan finance

45. What were the red flags?
• Agency overspend
• Cash
• Working capital facility
• CIP delivery
• BPPC
• Divisional variances
• Capex

46. Board culture
• NED challenge curtailed by CEO
• Management of information shared with NEDs
• Executive to executive challenge actively discouraged
• Joint executive responsibility for finances discouraged
• FD had a ‘closed’ style
• Lack of escalation
• Reassurance over assurance
• Board not reflective or open to change

47. Financial reporting
• Underlying position
• Changes made to reports over time
• Risks and forecasts
• Commentary on performance trends and variances
• Planning information for committees
• Lack of aged debtors/creditors information
• Lack of cash flow reporting

48. Financial scrutiny
• No triangulation of individual areas of concern
• Cash risks not discussed
• Most execs had no exposure to Finance and Performance or Audit Committees
• Limited ad hoc NED attendance at other committees
• No financially qualified NEDs on F&P Committee
• Over-reliance on audit opinion for financial assurance

49. Financial scrutiny (cont.)
• Weaknesses in reporting from F&P to Board
• NED requests for information ignored and not followed up
• Ineffective divisional performance meetings
• Little financial scrutiny at ExCo

50. What changes have the trusts made?
• Cross committee membership
• Finance report redesign
• New leadership
• Improved divisional meetings
• Chair involvement in committees
• F&P refocus
• Better comms

51. Questions

52. Panel Discussion
Chair: Bryan Millar, Audit Committee Chair at Airedale, Wharfedale and Craven CCG, Bradford Districts CCG and Bradford City CCG
Panellists:
• Cathy Kennedy, Director of Operational Finance (Yorkshire & Humber) at NHS Improvement and NHS England
• John Lester, Head of Investigations at NHS Improvement and NHS England
• Paul Barnes, Head of Operations and Engagement - Cyber Security at NHSX
• John Mallalieu, Lay Member - Finance and Performance at Calderdale CCG
• Chris Thompson, Audit Committee Chair, HDFT

53. Avoiding the Bait
Andy Mellor & Tom Watson

54. Accessing ESR

55. Vote Now: Real or Fake?
1. Real 54%
2. Fake 17%
3. Don't know / can't tell 29%

56. A mundane email

57. Vote Now: Real or Fake?
1. Real 14.3%
2. Fake 77.1%
3. Don't know / can't tell 8.6%

58. ESR on a mobile device

59. Vote Now: Real or Fake?
1. Real 11%
2. Fake 50%
3. Don't know / can't tell 39%

60. Activating your office licence

61. Vote Now: Real or Fake?
1. Real 3%
2. Fake 86%
3. Don't know / can't tell 11%

62. What were the website clues?

63. What were the email clues?
• Unexpected?
• Who from…
• … is the sender spoofed?
• Who to?
• What are you being asked to do?
• Sense of urgency?


65. The risk to you?

66.
From: Tim Thomas <no-reply@linkedin.com>
Sent: Mon 23/09/2019 16:34
To: Andy Mellor
You have unread messages from Tim Thomas
Hi buddy – could you please spare a couple of minutes to complete a survey for me?
http://tinyurl.com/37gcEy
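The clues listed on the previous slide (unexpected, who from, is the sender spoofed, what are you being asked to do, sense of urgency) and the LinkedIn message above can be checked mechanically before anyone clicks. The Python routine below is an added example and is not part of the original deck or of 360 Assurance's or Audit Yorkshire's material. It parses a raw message and reports which clues fired: a From display name that is itself an address from a different domain, Reply-To or Return-Path domains that do not match From, failing SPF/DKIM/DMARC verdicts in an Authentication-Results header stamped by the receiving gateway, HTML links whose visible text names a different host than the real target, URL shorteners, and urgency or credential-request wording. The sample messages are constructed: the first reuses the LinkedIn text shown above but its Reply-To, Return-Path and Authentication-Results headers are invented for the illustration; the second is a constructed version of the "secure NHS portal" scenario on the next slide. Every domain ending in .example or .invalid is a placeholder.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Public shorteners hide the real destination (the slide's sample message uses tinyurl).
SHORTENERS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended", "final notice")
CREDENTIAL_ASKS = ("user credentials", "username and password", "log in", "sign in", "verify your account")
AUTH_FAILS = {"fail", "softfail", "permerror", "temperror"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def registrable(host):
    """Last two labels of a hostname: a crude stand-in for a public-suffix lookup."""
    return ".".join((host or "").lower().split(".")[-2:])

def body_text(msg):
    """Every text/plain and text/html part, decoded and joined."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw):
    """Return the list of clues that fired for one raw message; empty means none did."""
    msg = message_from_string(raw)
    clues = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    # Who from... is the sender spoofed? A display name that is itself an address
    # from another domain, or Reply-To / Return-Path pointing somewhere else.
    if "@" in name and name.rsplit("@", 1)[-1].lower() != from_dom:
        clues.append(f"display name shows {name} but the address is {addr}")
    for hdr in ("Reply-To", "Return-Path"):
        dom = domain_of(msg.get(hdr, ""))
        if dom and registrable(dom) != registrable(from_dom):
            clues.append(f"{hdr} domain {dom} does not match From domain {from_dom}")
    # Receiving-gateway verdicts, when it stamps them (Authentication-Results, RFC 8601).
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) in AUTH_FAILS:
            clues.append(f"{mech} result is {m.group(1)}")
    text = body_text(msg)
    # What are you being asked to do? Check where the links really go.
    for href, label in ANCHOR_RE.findall(text):
        shown = URL_RE.search(label)
        if shown and registrable(urlparse(shown.group(0)).hostname) != registrable(urlparse(href).hostname):
            clues.append(f"link text shows {shown.group(0)} but points to {href}")
    for url in URL_RE.findall(text):
        if registrable(urlparse(url).hostname) in SHORTENERS:
            clues.append(f"URL shortener hides the destination: {url}")
    lowered = (msg.get("Subject", "") + "\n" + text).lower()
    # Sense of urgency? And is it asking for credentials?
    for kind, words in (("urgency language", URGENCY), ("asks for credentials", CREDENTIAL_ASKS)):
        hits = [w for w in words if w in lowered]
        if hits:
            clues.append(f"{kind}: {', '.join(hits)}")
    return clues

# Constructed sample 1: the LinkedIn text from the slide; the Reply-To, Return-Path
# and Authentication-Results headers are invented here to exercise the header checks.
LINKEDIN_SAMPLE = """\
From: Tim Thomas <no-reply@linkedin.com>
Reply-To: tim.thomas@linkedin-surveys.example
Return-Path: <bounce@bulk-mailer.example>
Authentication-Results: mx.example; spf=fail smtp.mailfrom=bulk-mailer.example; dkim=none; dmarc=fail header.from=linkedin.com
To: Andy Mellor <andy.mellor@example.invalid>
Subject: You have unread messages from Tim Thomas
Content-Type: text/plain; charset=utf-8

Hi buddy - could you please spare a couple of minutes to complete a survey for me?
http://tinyurl.com/37gcEy
"""

# Constructed sample 2: the "secure NHS portal" scenario as an HTML message with a
# look-alike display name and a link whose text and target disagree.
PORTAL_SAMPLE = """\
From: "maz.khan@nhs.net" <alerts@lchs-secure-portal.example>
To: dani@example.invalid
Subject: Information you might find useful
Content-Type: text/html; charset=utf-8

<p>Hi Dani, please log in to the secure NHS portal using your user credentials within 24 hours.</p>
<a href="http://nhs-portal-login.example/auth">https://portal.nhs.uk/secure</a>
"""

if __name__ == "__main__":
    for sample in (LINKEDIN_SAMPLE, PORTAL_SAMPLE):
        print(triage(sample) or ["no clues fired"])
```

The keyword lists and the two-label registrable() heuristic are deliberately simple; a production check would use a public-suffix list, trust only the Authentication-Results header added by your own gateway (an attacker can insert a fake one upstream), and treat the output as clues for a person to weigh rather than a verdict, since legitimate newsletters and notification services also send from third-party domains and use tracking links.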

67. What if…
• Graham receives an email from the Director of Finance at Harrogate & District FT saying that Andrew has passed on his details…
• Dani receives an email from Maz at Lincolnshire Community Health Services to share some information “you might find useful” – just access the secure NHS portal using your user credentials
• Shirley receives an email from Mark at Leicester Hospitals with a link to “some photos from a recent office party that you might find interesting ;-)”

68. … and what have we found?
• Users remain susceptible to phishing emails
• Response rates vary from 5% - 15%
• A small number of users are generally susceptible to harvesting of their credentials – and it might only take one to compromise a network
• Users respond surprisingly quickly to phishing attacks!
• Mandatory training doesn’t eliminate the risk
• Is the NHS culture/response sufficiently tough, compared to industry?

69. Cyber Assurance: Managing cyber security at a strategic level
Paul Barnes, Head of Operations & Engagement, 30 September 2019

70. Session overview
• Board framework – 7 key principles
• Threat landscape and cyber risk
• Support for NHS organisations
• Regulation

71. NHSX overview
• A new joint team focused on accelerating the digitisation of health and care
• Bringing together expertise and talent from multiple ALBs
• Providing consistent and coherent digital policy
• Leading the development of strategy, programme and project delivery

72. NHSX Cyber Security Team
What we do:
• Lead a programme to strengthen cyber resilience across health and care to ensure organisations comply with relevant standards
• Raise awareness and understanding of cyber security risks and issues, promote funding opportunities and NHS Digital services
• Provide assurance on requirements for reporting and incident planning
How we do it:
• Work in partnership with NHS Digital and other arm’s length bodies
• Engage with NHS England and NHS Improvement regional teams – ensuring that organisations are clear about their roles and responsibilities
Why we do it:
• To improve and enhance cyber security and promote awareness of the importance of keeping patient data safe and secure
• To ensure that NHS organisations protect patient data and are able to respond effectively in the event of a data breach
• To build public trust and support safe patient care

73. Vote Now: How would you rate your knowledge of cyber security?
1. Excellent/detailed understanding 13%
2. Average 56%
3. Some limited knowledge 29%
4. No knowledge of cyber 2%

74. The threat environment across health and care: March-Sept 2018
• 50% more attacks compared to the same period in 2017
• 15.7m new pieces of malware identified globally
• 3.52m intrusion attacks against health and care globally
• ~5.5bn potentially malicious emails have been blocked by the NHS alone

75. Cyber Security Operations Centre
NHS Digital’s Data Security Centre prevents, detects and responds to cyber attacks in real time. In the last 3 months alone, the centre has prevented:
• Over 21 million potential cyber attacks
• 640 million phishing attempts

  76. WannaCry Ransomware Cyber Attack
